President Biden Signs New Critical Infrastructure Cyber Incident Reporting Obligations Into Law

On March 15, as part of the Fiscal Year 2022 Consolidated Appropriations Act, President Biden signed into law important new cyber incident reporting obligations for companies in critical infrastructure. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) will eventually require certain critical infrastructure companies to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours. But these requirements do not immediately go into effect. The Cybersecurity and Infrastructure Security Agency (“CISA”), which is part of the Department of Homeland Security, has 24 months to issue proposed rules to implement the law but may do so in advance of that deadline. Companies should carefully monitor the rulemaking efforts as the scope and new obligations could vary significantly depending upon CISA’s definition of key terms and articulation of core requirements. The Act is similar to the Senate bill we discussed in our prior alert, but drops the reporting requirements for contractors and grant awardees. Below, we reiterate a summary of some of the key provisions and terms of the Act. We also note the law takes a different approach than some other recent federal cybersecurity efforts.

Possible Overlap with Other Regulatory Efforts 

CISA, which has traditionally sought voluntary collaboration with the private sector, will maintain elements of that non-regulatory posture under the Act. The Act provides that information disclosed to CISA pursuant to the new law shall not be used by local, state, or federal governments to regulate or undertake enforcement actions against those reporting companies. Further, to alleviate potential privacy or anti-trust concerns with such reporting, the Act provides a shield to liability for the submission of reports to the government. It does not, however, provide protections for other disclosures and does not address other liabilities that could arise from the cyber incident itself. 

But not all federal agencies are pursuing this light regulatory approach. As discussed in our March 16 alert, the Securities and Exchange Commission (“SEC”) issued proposed rules to significantly modify cybersecurity obligations for public companies, whether in a critical infrastructure sector or not. Those obligations would require organizational changes within companies, increased transparency regarding cybersecurity measures, and new incident-reporting requirements. The SEC’s incident-reporting requirements, in particular, would be in addition to those required under the Act. And unlike the posture adopted by the Act, information disclosed or shared with the SEC could be the basis for regulatory action. 

The proposed SEC rule comes on the heels of its inquiry into the SolarWinds incident, a large-scale software supply chain compromise executed by Russian intelligence. The inquiry involved the SEC sending a large number of companies requests for information about whether they were victimized by SolarWinds, their response to the incident, and whether they had experienced related cyber incidents. What the SEC will do with the information it collected, and whether there will be any enforcement actions, remains to be seen.    

Nevertheless, with the issuance of the proposed rule, the SEC has demonstrated a willingness to be a significant player in federal cybersecurity regulation. Between the Department of the Treasury’s push to incentivize companies to report ransomware payments to the government and the Department of Justice’s Cyber Civil Fraud Initiative, which seeks to hold government contractors accountable for their cybersecurity representations, the landscape of government cybersecurity regulation is becoming increasingly complex. CISA has been very active with non-regulatory actions, including issuing regular security alerts, releasing guidance on ransomware preparation and response, and cataloguing free cybersecurity resources. The new CISA regulations, when they eventually come into force, will be entering an already crowded field, making industry feedback on any proposed rules even more critical. In the meantime, companies should be evaluating these new proposals to determine whether it will be necessary to modify their cybersecurity policies and incident response plans to eventually comply with these new obligations.

New Obligations

• 72-Hour Reporting Requirement: A covered entity that experiences a covered cyber event shall report the covered cyber incident to CISA not later than 72 hours after the covered entity reasonably believes that the covered cyber event has occurred.
• 24-Hour Ransomware Reporting Requirement: A covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity shall report the payment to CISA not later than 24 hours after the ransom payment has been made.
• Supplemental Reports: If substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report, a covered entity shall promptly submit to CISA an update or supplement to such previously submitted report until such date that the covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.
• Data Preservation: Covered entities making the reports discussed above shall preserve data relevant to the covered cyber incident or ransom payment in accordance with rules to be established by CISA.

Terms to be Defined

• Covered Entity: CISA will define what types of entities constitute “covered entities,” taking into account how their disruption or compromise would impact “national security, economic security, or public health and safety”; the likelihood of being targeted by a malicious cyber actor; and the relative vulnerability of those entities to disruption.
• Covered Cyber Event: CISA will define what types of substantial cyber incidents would constitute a “covered cyber event,” which, at a minimum, will include incidents that lead to substantial loss of confidentiality, integrity or availability of an information system of network; a disruption of business or industrial operations; or unauthorized access or disruption due to the impact on a cloud or managed service provider.
• Contents of Reports: CISA will articulate the mandatory contents of reports, which will include, amongst other things, a description of the event, the vulnerabilities exploited, the contact information of the threat actor, and the amount of any ransom paid.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the Distict of Columbia, Tod Cohen, an O’Melveny partner licensed to practice law in California, Randall Edwards, an O'Melveny partner licensed to practice law in California, John Dermody, an O'Melveny partner licensed to practice law in the District of Columbia and California, and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2022 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.